-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CA20121001-01: Security Notice for CA License Issued: October 01, 2012 CA Technologies Support is alerting customers to two potential risks in CA License (also known as CA Licensing). Vulnerabilities exist that can allow a local attacker to execute arbitrary commands or gain elevated access. CA Technologies has issued patches to address the vulnerabilities. The first vulnerability, CVE-2012-0691, occurs due to insecure use of system commands. An unprivileged user can exploit this vulnerability to execute commands with system or administrator privileges. The second vulnerability, CVE-2012-0692, occurs due to inadequate user validation. An unprivileged user can exploit this vulnerability to create or modify arbitrary files and gain elevated access. Risk Rating High Affected Platforms AIX 5.x DEC HP-UX Linux Mac OS X Solaris Windows Affected Products CA Aion Business Rules Expert r11.0 CA ARCserve Backup r12.5, r15, r16 CA ARCserve Central Protection Manager r16 CA ARCserve Central Reporting r16 CA ARCserve D2D r15, r16, r16 On Demand CA ARCserve Central Host Based VM Backup (formerly CA ARCserve Host Based VM Backup) r16 CA ARCserve Central Virtual Standby (formerly CA ARCserve Virtual Conversion Manager) r16 CA Automation Point r11.2, r11.3 CA Client Automation (formerly CA Desktop and Server Management) r12.0, r12.0 SP1, r12.5 CA Common Services (CCS) r11.2 SP2 CA ControlMinder (formerly CA Access Control) 12.5, 12.6 CA ControlMinder for Virtual Environments (formerly CA Access Control for Virtual Environments) 2.0 CA Database Management r11.3, r11.4, r11.5 CA Directory 8.1 CA Easytrieve for Windows and UNIX 11.0, 11.1 CA Easytrieve for Linux PC 11.6 CA Erwin Data Modeler r7.x CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5 CA Gen r8 CA IdentityMinder (formerly CA Identity Manager) r12 CR16 and earlier CA Insight Database Performance Manager 11.3, 11.4, 11.5 CA IT Asset Manager (ITAM) r12.6 and earlier CA IT Client Manager r12.0, r12.0 SP1, r12.5 CA IT Inventory Manager r12.0, r12.0 SP1, r12.5 CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2 CA Output Management Web Viewer 11.5 CA Plex r6, r6.1 CA Repository for Distributed Systems r2.3 CA Service Accounting r12.5, r12.6 CA Service Catalog r12.5, r12.6 CA Service Desk Manager r12.1, r12.5, r12.6 CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3 CA Software Compliance Manager r12.0, r12.6 CA Storage Resource Manager (SRM) 11.8, 12.6 CA TSreorg for Distributed Databases 11.3, 11.4, 11.5 CA Unicenter Asset Portfolio Management r11.3, r11.3.4, r12.6 CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3 CA Workload Automation DE r11.3 CA XCOM Data Transport Gateway PC Linux r11.5 CA XCOM Data Transport Gateway Windows r11.5 CA XCOM Data Transport for PC Linux r11.5 CA XCOM Data Transport for Windows r11.5 CA XCOM Data Transport Management Center for PC Linux r11.5 CA XCOM Data Transport Management Center for Windows r11.5 Affected Components CA License 1.90.02 and earlier Non-Affected Products CA ControlMinder (formerly CA Access Control) 12.6 SP1 CA Client Automation 12.5 SP1 CA Directory r12.0 SP1 or later CA Gen r8.5 CA IdentityMinder (formerly CA Identity Manager) r12.5 CA IT Client Manager r12.5.SP1 CA IT Inventory Manager r12.5.SP1 CA Plex r7.0 CA Service Accounting r12.7 CA Service Catalog r12.7 CA Service Desk Manager r12.7 CA Single Sign-On (SSO) r12.1 CR5 CA Storage Resource Manager (SRM) 12.6 SP1 CA Workload Automation DE r11.1 (does not use CA License) Non-Affected Components CA License 1.90.03 or later How to determine if the installation is affected All versions of CA License before 1.90.03 are vulnerable. The installed version of CA License can be obtained by using the “lic98version” program. Lic98version retrieves the version of CA License installed on a machine along with the version of specific individual files. The version information is written to the lic98version.log file located in the CA License installation location, and is also displayed on the console. Solution CA has issued patches to address the vulnerability. For all CA product installations on Linux, please note these Linux-specific instructions: 1. First, make backups of the ca.olf file and the lic98.dat file. 2. Uninstall the existing/old version of CA License. 3. Perform the installation of CA License 1.90.04. 4. Confirm the successful installation of 1.9.04, and then replace the existing ca.olf file and lic98.dat file with the files you backed up in step 1. If additional information is required, please contact CA Technologies Support at https://support.ca.com/ CA Aion Business Rules Expert r11.0: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA ALP License Update for Windows: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={2B524F D2-9275-4820-997F-E9C0BC0DE768} CA ARCserve products: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Automation Point r11.2: Install SP5 when available. CA Automation Point r11.3: Install SP2, which uses CA License v1.90.04. CA Client Automation r12.0, r12.0 SP1, r12.5: Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Common Services (CCS) r11.2 SP2: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA ControlMinder (formerly known as CA Access Control) 12.5, 12.6: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA ControlMinder for Virtual Environments 2.0 (formerly known as ACVE): Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Database Management r11.3, r11.4, r11.5: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Directory 8.1: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Easytrieve 11.0, 11.1: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Easytrieve 11.6 for Linux PC: Download and install CA License v1.90.04 or later: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Erwin Data Modeler r7.x: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Gen r8: Upgrade to CA Gen r8.5, or download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA IdentityMinder (formerly known as CA Identity Manager) r12 CR16 and earlier: Upgrade to r12.5, or download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Insight Database Performance Manager 11.3, 11.4, 11.5: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA IT Asset Manager (ITAM) r12.6 and earlier: Apply RI40652 for UAPM 11.3.4 Apply RI40653 for APM 12.6 Apply RI40654 for CASWCM 12.6 Apply RI40655 for CASWCM 12.0 CA IT Client Manager r12.0, r12.0 SP1, r12.5: Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA IT Inventory Manager r12.0, r12.0 SP1, r12.5: Upgrade to r12.5 SP1, or download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Output Management Web Viewer 11.5: Apply RI36100 CA Plex r6.1: Upgrade to CA Plex r7.0 CA Repository for Distributed Systems r2.3: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Service Accounting r12.5: Apply RO40603 (PIB RI40667) CA Service Accounting r12.6: Apply RO40613 (PIB RI40669) CA Service Catalog r12.5: Apply RO40603 (PIB RI40667) CA Service Catalog r12.6: Apply RO40613 (PIB RI40669) CA Service Desk Manager r12.1, r12.5, r12.6: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: (Note that you will need to stop all SSO server services (including Access Control and Directory) before upgrading the License component.) https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Software Compliance Manager r12.0: Apply RI40655 CA Software Compliance Manager r12.6: Apply RI40654 CA SRM 11.8: Apply RI35825 (CA License Vulnerability Fix) CA SRM 12.6: Apply RI35823 (CA License Vulnerability Fix) CA TSreorg for Distributed Databases 11.3, 11.4, 11.5: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Unicenter Asset Portfolio Management r11.3, r11.3.4: Apply RI40652 CA Unicenter Asset Portfolio Management r12.6: Apply RI40653 CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA Workload Automation DE r11.3: Download and install CA License v1.90.04 or later for Windows and Linux platforms, or v1.90.03 or later for all other platforms: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={861347 B7-543B-4345-B8FB-E840A0B72BFF} CA XCOM Data Transport Gateway PC Linux r11.5: Apply RI36093 CA XCOM Data Transport Gateway Windows r11.5: Apply RI36094 CA XCOM Data Transport for PC Linux r11.5: Apply RI36091 CA XCOM Data Transport for Windows 11.5: Apply RI36090 CA XCOM Data Transport Management Center for PC Linux 11.5: Apply RI38961 CA XCOM Data Transport Management Center for Windows 11.5: Apply RI38984 Workaround None References CVE-2012-0691 – CA License system command usage CVE-2012-0692 – CA License user validation weakness Acknowledgement CVE-2012-0691 – Raphael Rigo, ANSSI (French Network and Information Security Agency) CVE-2012-0692 – Raphael Rigo, ANSSI (French Network and Information Security Agency) Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at https://support.ca.com/ If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Thanks and regards, Ken Williams, Director CA Technologies Product Vulnerability Response Team CA Technologies Business Unit Operations wilja22@ca.com Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Charset: utf-8 wj8DBQFQafI7eSWR3+KUGYURAm8UAKCW9a/UaoyzeP8Ja/c9EPd0Gqol4ACdErwZ bhKZxUlw5RP4fB9DlbfU/gk= =AEEO -----END PGP SIGNATURE-----